Red Hat Directory Server 8.0 Administrator's Guide
4.2.1. Anonymous Access (anyone Keyword)
Granting anonymous access to the directory means that anyone can access it without providing
a bind DN or password and regardless of the circumstances of the bind. You can limit
anonymous access to specific types of access (for example, read or search access) or to
specific subtrees or individual entries within the directory.
From the Directory Server Console, you define anonymous access through the Access Control
Editor. See Section 5, “Creating ACIs from the Console”.
4.2.2. General Access (all Keyword)
You can use bind rules to indicate that a permission applies to anyone who has successfully
bound to the directory; that is, all authenticated users. This allows general access while
preventing anonymous access.
From the Directory Server Console, you define general access on the Access Control Editor.
For more information, see Section 5, “Creating ACIs from the Console”.
4.2.3. Self Access (self Keyword)
Specifies that users are granted or denied access to their own entries. In this case, access is
granted or denied if the bind DN matches the DN of the targeted entry.
From the Directory Server Console, you set up self access on the Access Control Editor. For
more information, see Section 5, “Creating ACIs from the Console”.
4.2.4. Parent Access (parent Keyword)
Specifies that users are granted or denied access to the entry only if their bind DN is the parent
of the targeted entry.
You cannot set up parent access control using the Directory Server Console.
4.2.5. LDAP URLs
You can dynamically target users in ACIs using a URL with an LDAP filter:
userdn = "ldap:///suffix??scope?(filter)"
For example, all users in the accounting and engineering branches of the example.com tree
would be granted or denied access to the targeted resource dynamically based on the following
URL:
userdn = "ldap:///dc=example,dc=com??sub?(|(ou=engineering)(ou=accounting))"
Defining User Access - userdn Keyword
187